Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE, and Compact Garbled Circuits∗


Dan Boneh, Craig Gentry, Sergey Gorbunov, Shai Halevi, Valeria Nikolaenko, Gil Segev, Vinod Vaikuntanathan, Dhinakaran Vinayagamurthy

May 20, 2014

Abstract

We construct the first (key-policy) attribute-based encryption (ABE) system with short secret keys: the size of keys in our system depends only on the depth of the policy circuit, not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fan-in gates, thereby further reducing the circuit depth. Building on this ABE system we obtain the first reusable circuit garbling scheme that produces garbled circuits whose size is the same as the original circuit plus an additive poly(λ, d) bits, where λ is the security parameter and d is the circuit depth. Save the additive poly(λ, d) factor, this is the best one could hope for. All previous constructions incurred a multiplicative poly(λ) blowup. As another application, we obtain (single-key secure) functional encryption with short secret keys.

We construct our attribute-based system using a mechanism we call fully key-homomorphic encryption, which is a public-key system that lets anyone translate a ciphertext encrypted under a public key x into a ciphertext encrypted under the public key (f(x), f) of the same plaintext, for any efficiently computable f. We show that this mechanism gives an ABE with short keys. Security is based on the subexponential hardness of the learning with errors problem.

We also present a second (key-policy) ABE, using multilinear maps, with short ciphertexts: an encryption to an attribute vector x is the size of x plus poly(λ, d) additional bits. This gives a reusable circuit garbling scheme where the size of the garbled input is short, namely the same as that of the original input, plus a poly(λ, d) factor.
∗ This is the full version of a paper that appeared in Eurocrypt 2014 [BGG+14]. This work is a merge of two closely related papers [GGH+13d, BNS13].

Affiliations: Dan Boneh and Valeria Nikolaenko, Stanford University, Stanford, CA, USA. Craig Gentry and Shai Halevi, IBM Research, Yorktown, NY, USA. Sergey Gorbunov and Vinod Vaikuntanathan, MIT, Cambridge, MA, USA; Gorbunov's work was partially done while visiting IBM T. J. Watson Research Center. Gil Segev, Hebrew University, Jerusalem, Israel; this work was partially done while the author was visiting Stanford University. Dhinakaran Vinayagamurthy, University of Toronto, Toronto, Ontario, Canada.

1 Introduction

(Key-policy) attribute-based encryption [SW05, GPSW06] is a public-key encryption mechanism where every secret key sk_f is associated with some function f : X → Y and an encryption of a message µ is labeled with a public attribute vector x ∈ X. The encryption of µ can be decrypted using sk_f only if f(x) = 0 ∈ Y. Intuitively, the security requirement is collusion resistance: a coalition of users learns nothing about the plaintext message µ if none of their individual keys is authorized to decrypt the ciphertext. Attribute-based encryption (ABE) is a powerful generalization of identity-based encryption [Sha84, BF03, Coc01] and fuzzy IBE [SW05, ABV+12], and is a special case of functional encryption [BSW11]. It is used as a building block in applications that demand complex access control to encrypted data [PTMW06], in designing protocols for verifiably outsourcing computations [PRV12], and for single-use functional encryption [GKP+13b]. Here we focus on key-policy ABE, where the access policy is embedded in the secret key. The dual notion, called ciphertext-policy ABE, can be realized from this using universal circuits, as explained in [GPSW06, GGH+13c].
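The abstract states the key-homomorphic translation (a ciphertext under attribute x becomes a ciphertext under (f(x), f)) and the paragraph above states the decryption rule f(x) = 0, but this excerpt shows neither mechanism concretely. The following is an added example, not code from the paper or its authors: it implements the gadget-matrix evaluation the full paper uses for fan-in-2 addition and multiplication gates over LWE-style ciphertexts c = (B + x·G)^T s + e. The parameters (N = 4, K = 16, ±1 noise) are toy assumptions chosen so it runs instantly and are not secure, the function names are mine, and the ABE key side (lattice trapdoors for the matrix of the output wire, which is what makes the secret key a single matrix) is deliberately left out. What the block does show is that anyone holding only the public matrices can move ciphertexts through a circuit, and that the noise, which is what limits the tolerable depth, grows at each multiplication by a factor tied to the gadget width and the magnitude of the attribute value.

```python
"""Key-homomorphic evaluation over LWE-style ciphertexts (toy parameters).

Added example, not code from the paper. It implements the gadget-matrix
evaluation (Eval_pk on public matrices, Eval_ct on ciphertexts) used in the
full paper for fan-in-2 addition and multiplication gates, so that a
ciphertext under attribute x becomes one under (f(x), f). N, K and the
+-1 noise are assumptions chosen so the demo runs instantly; NOT secure.
The ABE key-generation/decryption side (lattice trapdoors) is not included.
"""
import random

N = 4           # LWE secret dimension (toy)
K = 16          # bits per gadget block, q = 2^K
Q = 1 << K      # modulus
M = N * K       # width of the gadget matrix G (N x M) and of ciphertexts


def centered(v):
    """Representative of v mod Q in (-Q/2, Q/2]."""
    v %= Q
    return v - Q if v > Q // 2 else v


def mat_add(A, B):
    return [[(a + b) % Q for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def mat_mul(A, R):
    """(N x M) times (M x M) mod Q."""
    return [[sum(A[i][k] * R[k][j] for k in range(M)) % Q
             for j in range(M)] for i in range(N)]


def mat_T_vec(B, s):
    """B^T s mod Q for B (N x M) and s of length N."""
    return [sum(B[i][j] * s[i] for i in range(N)) % Q for j in range(M)]


def gadget_times(x):
    """x*G: block i of row i holds x*(1, 2, 4, ..., 2^(K-1))."""
    G = [[0] * M for _ in range(N)]
    for i in range(N):
        for j in range(K):
            G[i][i * K + j] = (x << j) % Q
    return G


def gadget_inverse(B):
    """Bit decomposition R (M x M, entries in {0,1}) with G*R = B mod Q."""
    R = [[0] * M for _ in range(M)]
    for i in range(N):
        for col in range(M):
            v = B[i][col] % Q
            for j in range(K):
                R[i * K + j][col] = (v >> j) & 1
    return R


def encrypt(rng, B, x, s):
    """c = (B + x*G)^T s + e with e in {-1,0,1}^M: a ciphertext under (B, x)."""
    return [(v + rng.randint(-1, 1)) % Q
            for v in mat_T_vec(mat_add(B, gadget_times(x)), s)]


def eval_add(B1, c1, x1, B2, c2, x2):
    """Addition gate: public key B1+B2, ciphertext c1+c2, attribute x1+x2."""
    return mat_add(B1, B2), [(a + b) % Q for a, b in zip(c1, c2)], x1 + x2


def eval_mul(B1, c1, x1, B2, c2, x2):
    """Multiplication gate: B_g = -B1*G^{-1}(B2), c_g = -G^{-1}(B2)^T c1 + x1*c2.

    The new noise is -G^{-1}(B2)^T e1 + x1*e2, at most M*|e1| + |x1|*|e2|,
    which is why small attribute values and low depth matter."""
    R = gadget_inverse(B2)
    Bg = [[(-v) % Q for v in row] for row in mat_mul(B1, R)]
    RTc1 = [sum(R[i][j] * c1[i] for i in range(M)) for j in range(M)]
    cg = [(-RTc1[j] + x1 * c2[j]) % Q for j in range(M)]
    return Bg, cg, x1 * x2


def noise(B, c, x, s):
    """max |c - (B + x*G)^T s|; small iff c is a valid ciphertext under (B, x)."""
    exp = mat_T_vec(mat_add(B, gadget_times(x)), s)
    return max(abs(centered(ci - ei)) for ci, ei in zip(c, exp))


def demo(seed=1, xs=(2, 3, 5)):
    """Evaluate f(x1, x2, x3) = x1*x2 + x3 on three fresh ciphertexts."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(N)]
    Bs = [[[rng.randrange(Q) for _ in range(M)] for _ in range(N)] for _ in xs]
    cs = [encrypt(rng, B, x, s) for B, x in zip(Bs, xs)]
    Bp, cp, xp = eval_mul(Bs[0], cs[0], xs[0], Bs[1], cs[1], xs[1])
    Bf, cf, xf = eval_add(Bp, cp, xp, Bs[2], cs[2], xs[2])
    return {
        "f_x": xf,                                   # f(2, 3, 5) = 11
        "noise_in": noise(Bs[0], cs[0], xs[0], s),   # fresh ciphertext: <= 1
        "noise_out": noise(Bf, cf, xf, s),           # after two gates: <= M + 3
        "noise_wrong": noise(Bf, cf, xf + 1, s),     # wrong attribute: large
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the result dictionary. The evaluated ciphertext is a valid encryption under the public matrix for f and the attribute value f(x) = 11, so under the ABE rule above it could be opened only by a key for a policy that evaluates to 0 on this x; the `noise_wrong` entry shows that the same ciphertext is not a valid encryption under any other attribute value, so the evaluator cannot pretend f(x) was something else.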
The past few years have seen much progress in constructing secure and efficient ABE schemes from different assumptions and for different settings. The first constructions [GPSW06, LOS+10, OT10, LW12, Wat12, Boy13, HW13] apply to predicates computable by Boolean formulas, which are a subclass of log-space computations. More recently, important progress has been made on constructions for the set of all polynomial-size circuits: Gorbunov, Vaikuntanathan, and Wee [GVW13] gave a construction from the Learning With Errors (LWE) problem and Garg, Gentry, Halevi, Sahai, and Waters [GGH+13c] gave a construction using multilinear maps. In both constructions the policy functions are represented as Boolean circuits composed of fan-in-2 gates and the secret key size is proportional to the size of the circuit.

Our results. We present two new key-policy ABE systems. Our first system, which is the centerpiece of this paper, is an ABE based on the learning with errors problem [Reg05] that supports functions f represented as arithmetic circuits with large fan-in gates. It has secret keys whose size is proportional to the depth of the circuit for f, not its size. Secret keys in previous ABE constructions contained an element (such as a matrix) for every gate or wire in the circuit. In our scheme the secret key is a single matrix corresponding only to the final output wire of the circuit. We prove selective security of the system and observe that by a standard complexity leveraging argument (as in [BB11]) the system can be made adaptively secure.

Theorem 1.1 (Informal). Let λ be the security parameter. Assuming subexponential LWE, there is an ABE scheme for the class of functions with depth-d circuits where the size of the secret key for a circuit C is poly(λ, d).

Our second ABE system, based on multilinear maps [BS02, GGH13a], optimizes the ciphertext size rather than the secret key size. The construction here relies on a generalization of broadcast encryption [FN93, BGW05, BW13] and the attribute-based encryption scheme of [GGH+13c]. Previously, ABE schemes with short ciphertexts were known only for the class of Boolean formulas [ALdP11].

Theorem 1.2 (Informal). Let λ be the security parameter. Assuming that d-level multilinear maps exist, there is an ABE scheme for the class of functions with depth-d circuits where the size of the encryption of an attribute vector x is |x| + poly(λ, d).

Our ABE schemes result in a number of applications and have many desirable features, which we describe next.

Applications to reusable garbled circuits. Over the years, garbled circuits and variants have found many uses: in two-party [Yao86] and multi-party secure protocols [GMW87, BMR90], one-time programs [GKR08], key-dependent message security [BHHI10], verifiable computation [GGP10], homomorphic computations [GHV10] and many others. Classical circuit garbling schemes produced single-use garbled circuits which could only be used in conjunction with one garbled input. Goldwasser et al. [GKP+13b] recently showed the first fully reusable circuit garbling schemes and used them to construct token-based program obfuscation schemes and k-time programs [GKP+13b]. Most known constructions of both single-use and reusable garbled circuits proceed by garbling each gate to produce a garbled truth table, resulting in a multiplicative size blowup of poly(λ). A fundamental question regarding garbling schemes is: how small can the garbled circuit be?

There are three exceptions to the gate-by-gate garbling method that we are aware of. The first is the "free XOR" optimization for single-use garbling schemes introduced by Kolesnikov and Schneider [KS08], where one produces garbled tables only for the AND gates in the circuit C. This still results in a multiplicative poly(λ) overhead, but proportional to the number of AND gates (as opposed to the total number of gates). Secondly, Lu and Ostrovsky [LO13] recently showed a single-use garbling scheme for RAM programs, where the size of the garbled program grows as poly(λ) times its running time. Finally, Goldwasser et al. [GKP+13a] show how to (reusably) garble non-uniform Turing machines under a non-standard and non-falsifiable assumption, incurring a multiplicative poly(λ) overhead in the size of the non-uniformity of the machine. In short, all known garbling schemes (even in the single-use setting) suffer from a multiplicative overhead of poly(λ) in the circuit size or the running time.

Using our first ABE scheme (based on LWE) in conjunction with the techniques of Goldwasser et al. [GKP+13b], we obtain the first reusable garbled circuits whose size is |C| + poly(λ, d). For large and shallow circuits, such as those that arise from database lookup, search and some machine learning applications, this gives significant bandwidth savings over previous methods (even in the single-use setting).

Theorem 1.3 (Informal). Assuming subexponential LWE, there is a reusable circuit garbling scheme that garbles a depth-d circuit C into a circuit Ĉ such that |Ĉ| = |C| + poly(λ, d), and garbles an input x into an encoded input x̂ such that |x̂| = |x| · poly(λ, d).

We next ask if we can obtain short garbled inputs of size |x̂| = |x| + poly(λ, d), analogous to what we achieved for the garbled circuit. In a beautiful recent work, Applebaum, Ishai, Kushilevitz and Waters [AIKW13] showed constructions of single-use garbled circuits with short garbled inputs of size |x̂| = |x| + poly(λ). We remark that while their garbled inputs are short, their garbled circuits still incur a multiplicative poly(λ) overhead. Using our second ABE scheme (based on multilinear maps) in conjunction with the techniques of Goldwasser et al. [GKP+13b], we obtain the first reusable garbling scheme with garbled inputs of size |x| + poly(λ, d).

Theorem 1.4 (Informal).